I noticed this when trying to build a profile for a program that uses polkit for authentication control.
Running pkexec normally in terminal (not in firejail), I get the standard gui dialog.
```
$ pkexec bash
<redacted> ~ # id
uid=0(root) gid=0(root) groups=0(root)
<redacted> ~ # exit
exit
```
Switching to firejail --noprofile, there is no dialog window, and the authentication attempt in the console fails:
```
$ pkexec bash
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/bash' as the super user
Authenticating as: Fred Barclay,,, (fred)
Password:
polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie
==== AUTHENTICATION FAILED ===
Error executing command as another user: Not authorized
This incident has been reported.
```
However, gksu still provides its standard dialog and allows privilege escalation:
```
$ gksu bash
Gkr-Message: secret service operation failed: The name org.freedesktop.secrets was not provided by any .service files
bash: cannot set terminal process group (27): Inappropriate ioctl for device
bash: no job control in this shell
<redacted> fred #
```
_(Strangely, bash seems to freeze at this point. But the privileges have definitely been elevated, as this output shows:)_
```
$ gksu id
Gkr-Message: secret service operation failed: The name org.freedesktop.secrets was not provided by any .service files
uid=0(root) gid=0(root) groups=0(root)
```
This isn't ideal, IMHO. Some programs (like etcher) rely on pkexec, and we should probably support allowing privilege escalation with pkexec as well as gksu (though only super-loose sandboxes like firejail --noprofile, of course. 😄)
Cheers!
It sounds like gksu doesn't depend on DBus whereas pkexec does. firejail --noprofile likely blocks access to the system DBus socket. A new network namespace might also do it.
> It sounds like gksu doesn't depend on DBus whereas pkexec does.

Interestingly, I get a different error when allowing dbus access:
```
$ firejail --protocol=unix --noprofile
Parent pid 4095, child pid 4096
Child process initialized in 12.97 ms
$ pkexec /bin/bash
pkexec must be setuid root
```
So it looks like it does need at least some access to dbus.
Yes, pkexec needs DBus access. It uses PolicyKit, which is a DBus-only service that someone thought was somehow a better idea than sudo when dealing with command execution (it's great for rights delegation when dealing with DBus services, because there really isn't any other option, but it's overkill for regular command execution). On the other hand, gksu is just a graphical frontend for sudo, so it just needs access to X11 to work.
In my case (Debian stretch), running "pkexec ls /root" in a "firejail --noprofile" crashes. I get this in syslog:
```
Aug 18 08:59:39 debian kernel: [69861.953292] pkexec[1600]: segfault at 18 ip 00007fc867f01097 sp 00007fc8635ef180 error 4 in libpolkit-agent-1.so.0.0.0[7fc867efb000+9000]
```
lol PolicyKit is a mess and is half-broken on my end even without using firejail (although maybe it's because of hidepid in my case...). It uses a security-hole-ridden mess called DBus and is somehow supposed to be better than sudo. Ugh.
When I run it, I get the following:
```
$ firejail --noprofile
$ pkexec ls /root
Error checking for authorization org.freedesktop.policykit.exec: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: process with PID 2 has been replaced
```
By the way, gksu and gksudo have been removed entirely (at least from Debian and Ubuntu, and probably other Debian derivatives as well), and apparently the recommended way is to use pkexec now, which currently doesn't work within firejail. I suspect it's due to the PID namespace...
Any update on this? With pkexec not working with firejail, there's no way to run applications that require it, such as GameHub.

> By the way, gksu and gksudo have been removed entirely (at least from Debian and Ubuntu, and probably other Debian derivatives as well)

Also on Fedora systems with F29+RPMFusion there is no gksu, gksudo, kdesudo.
Just saw that etcher is stated in this issue by @Fred-Barclay.
I'm trying to stop etcher from doing calls to networks/internet but I'm not able to get it running properly with firejail (the GUI doesn't load properly). Here is my etcher issue with a screenshot: https://github.com/balena-io/etcher/issues/2772
Based on @rradar's comment, I presume this is still an issue with pkexec and we should figure out what to do about it.
8204822861fe997328c94b74a16436d64bfd6eed
```
$ firejail --noprofile /usr/bin/pkexec
pkexec must be setuid root
# removing force-nonewprivs yes
$ firejail --noprofile /usr/bin/pkexec
Refusing to render service to dead parents.
```
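
A triage sketch for the three conditions this thread runs into (no_new_privs, a separate PID namespace, no system bus socket), added here as an example and not code from firejail or from any commenter. The function names, the finding labels, the sample status files and the default socket path are assumptions made for the illustration.

```shell
# Added example. Status-file samples below are constructed; the socket path
# default is an assumption (common location of the system bus socket).

# Print the value of one field from a /proc/<pid>/status-format file.
status_field() {  # $1 = file, $2 = field name without the colon
    awk -v k="$2:" '$1 == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Print one finding per line. Read the status file from the host side
# (/proc/<sandboxed pid>/status): NSpid only lists namespaces at or below
# the one the procfs mount belongs to.
pkexec_triage() {  # $1 = status file, $2 = system bus socket path
    t_status=$1
    t_sock=${2:-/run/dbus/system_bus_socket}
    # no_new_privs makes execve() ignore setuid bits, so pkexec starts
    # without euid 0 and prints "pkexec must be setuid root".
    [ "$(status_field "$t_status" NoNewPrivs)" = "1" ] && echo "no_new_privs"
    # More than one NSpid entry: the process lives in a child PID namespace,
    # so its PID inside the sandbox differs from the PID seen on the host
    # (the cause this thread suspects for the polkit errors).
    set -- $(status_field "$t_status" NSpid)
    [ "$#" -gt 1 ] && echo "pid_namespace"
    # pkexec talks to polkit over the system bus; no socket, no authorization.
    [ -S "$t_sock" ] || echo "no_system_bus"
    return 0
}

tmp=$(mktemp -d)
printf 'Name:\tbash\nPid:\t4096\nNSpid:\t4096\t2\nNoNewPrivs:\t1\n' > "$tmp/sandboxed"
printf 'Name:\tbash\nPid:\t4095\nNSpid:\t4095\nNoNewPrivs:\t0\n' > "$tmp/host"
for s in sandboxed host; do
    echo "== $s"
    pkexec_triage "$tmp/$s" "$tmp/no-such-socket"
done
```

On a live system, pass `/proc/<pid>/status` for the sandboxed process (read from outside the sandbox) and omit the second argument to test the default socket path.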